The comments on the government's draft Act on Poland's Presidency of the Council of the EU in 2025
The changes to the law are intended to increase the security of events taking place in Poland, which will assume the Presidency of the Council of the EU on January 1, 2025. According to the President, the proposed regulations require clarification on issues related to the processing of personal data by the services.
While taking care of the security of citizens and guests of events organised by Poland from January 1 to June 30, 2025 cannot be questioned, the services should not be given blanket powers to process personal data.
This is a draft Act on specific solutions in connection with the preparation and exercise by the Republic of Poland of the Presidency of the Council of the European Union in the first half of 2025. The draft was not consulted with the Personal Data Protection Office at the governmental stage of the process. However, during this term, the Marshal of the Sejm (lower chamber of the Polish Parliament) has adopted the principle of collecting comments on all drafts, so that the pace of work does not justify omitting important positions.
Thus, the President of the Personal Data Protection Office, Miroslaw Wroblewski, presented his position on May 30, 2024, in response to a letter from the head of the Chancellery of the Sejm.
Fundamental doubts about the draft lie in the fact that the draft - although it concerns the processing of personal data - was created without an analysis of its effects on the protection of such data. Meanwhile, according to Article 35 of the GDPR, it is desirable that an assessment of the impact of the envisaged processing operations on the protection of personal data be made already as part of the impact assessment in connection with the adoption of the legal basis. However, as the earlier analysis of the President of the Personal Data Protection Office for the Sejm shows, this desirable element of the impact assessment was repeatedly overlooked in the developing government drafts.
Had the drafters conducted such an analysis, they could have detected the shortcomings of the regulation in the area of personal data protection themselves. Indeed, a properly conducted impact assessment should indicate the relationship between operations performed on personal data and the specific purpose and means of processing them. And this is not present in the draft. Indeed, it does not indicate precisely:
- what data of persons designated to contact the relevant services will be processed,
- what guarantees are in place that the data will be processed only to the extent necessary to achieve the purposes indicated, related to, among other things, ensuring security,
- how data and opinions on individuals or entities will be transferred to law enforcement authorities (in particular, with regard to the purpose, form and mode of their disclosure under the proposed regulations),
- after what time the services should delete the collected data (the draft does not indicate the period during which retention, i.e., storage of data, will be possible).
As a result, the draft assumes the granting of blanket powers to the services: there is a lack of clarity regarding the data to be processed and the way in which the obligations under the General Data Protection Regulation will be implemented, and consequently, also the responsibility of the services for the personal data they will process (lawfulness, transparency and fairness , and accountability).
The opinion of the President of the Personal Data Protection Office to the government draft Act on the Polish Presidency of the Council of the EU in 2025 is available in the file attached below.
